Microsoft recently stated that “Cloud Native is no longer an option” and that you need to take action now. With that statement, I would like to revisit Windows Autopilot Device Preparation in Microsoft Intune.
Windows Autopilot Device Preparation was announced on May 28, 2024, and reached general availability in June 2024. It represents a major step forward in modern device provisioning for Windows 11 environments. However, after its release, it quickly became apparent that this option was not yet considered “usable” by everyone, with many limitations compared to traditional Windows Autopilot for production use. Significant work has been done on this recently, and Microsoft has more to offer in the future.
In this blog post, let’s take a look at where Windows Autopilot Device Preparation stands today and how it differs from the old familiar Windows Autopilot.
What is Windows Autopilot Device Preparation?
Windows Autopilot Device Preparation is Microsoft’s next-generation provisioning experience designed to simplify and accelerate the setup of Windows 11 devices. Unlike traditional Windows Autopilot, this new approach removes the need for hardware hash collection and focuses on a streamlined, cloud-native process.

With Windows Autopilot Device Preparation, the out-of-box experience (OOBE) handles everything:
- Microsoft Entra ID join
- Microsoft Intune enrollment
- Installation of essential apps and scripts (up to 10)
- Real-time monitoring and diagnostics
This makes deployments faster, more predictable, and easier to troubleshoot.
Windows Autopilot Device Preparation transforms a device’s existing OEM-installed Windows into a business-ready state, without requiring custom images or hardware hash registration. Users sign in at OOBE, and the device automatically joins Microsoft Entra ID and Microsoft Intune. It then installs a curated set of essential apps and scripts within the out-of-the-box experience. It delivers fast and consistent provisioning, near real-time monitoring and troubleshooting, and eliminates the need for hardware hashing.
Why Choose Windows Autopilot Device Preparation?
Choose Windows Autopilot Device Preparation if you want:
- Faster, simpler provisioning
- No hardware hash collection
- Real-time visibility
- Windows 11 and Entra ID-only environments
Choose Classic Windows Autopilot if you need:
- Microsoft Entra Hybrid join/Microsoft Entra Join
- Advanced customization for OOBE
- Broader device and OS support
Comparison
| Feature | Device Preparation (V2) | Classic Autopilot (V1) |
|---|---|---|
| Hardware hash upload | No | Yes |
| Join types supported | Entra ID only | Entra & Hybrid |
| Deployment modes | User-driven, automatic | User-driven, self-deploy, pre-provision |
| App/script deployment | Device-based during OOBE; up to 10 | Device + user during ESP; many |
| Monitoring | Near real-time diagnostics | Basic reporting |
| Supported devices | Windows 11 PCs/VMs; GCCH/DoD | Windows 10/11, HoloLens, Teams Room |
| Customization | Limited OOBE tweaks | Full OOBE customization |
| Pre-provisioning/self-deploy | No | Yes |
How to configure?
Requirements
Some requirements we must meet for Windows Autopilot Device Preparation:
- Windows 11 24h2 (recommended), Windows 11 23h2 with KB5035942 or later
- Windows 11 Pro, Enterprise, or Education
- Microsoft Intune license
- Microsoft Entra ID P1 or P2
- Device group for Enrollment Time Grouping
Microsoft Entra ID
The first thing we need is two Microsoft Entra ID groups: one user group and one assigned device group based on Enrollment Time Grouping. Before we get started with configuration, it is also important to talk a little about Enrollment Time Grouping.
Enrollment Time Grouping
Enrollment Time Grouping in Microsoft Intune is a feature designed to accelerate device provisioning by adding devices to a security group during enrollment, rather than waiting until after the process completes.
Instead of waiting for dynamic group membership updates after enrollment, as we did before, which could take a while, Enrollment Time Grouping ensures the device is immediately part of a designated security group as soon as it’s enrolled. This enables Microsoft Intune to deliver required apps, configurations, and policies right away, reducing setup delays and improving time-to-productivity for users.
To configure it, you create a static Microsoft Entra ID security group, assign the Intune Provisioning Client as its owner, and link it to the Windows Autopilot Device Preparation profile. I’ll show you during our configuration. Let’s go!
Microsoft Entra ID – Device Group
As discussed earlier, we will first create our Microsoft Entra ID security group for Enrollment Time Grouping. This is an assigned device group, and we will make the Intune Provisioning Client (an Enterprise application) its owner.
INFORMATION: This Enterprise Application may have a different name in your tenant. Make sure that the one you make the owner of the group is the one with AppID f1346770-5b25-470b-88bd-d5744ab7952c.
Also, make sure you create an assigned user group. Dynamic groups are NOT supported!
Go to Microsoft Entra admin center | Groups and choose New group. Create a group with the following settings and select Create.
- Group type: Security
- Group Name: WIN – DVC – Windows Autopilot Device Preparation
- Group Description: Enrollment Time Grouping – Windows Autopilot Device Preparation
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Assigned
- Owner: Intune Provisioning Client (f1346770-5b25-470b-88bd-d5744ab7952c)
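
The settings above can be checked from PowerShell before the group is linked to a policy. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed, and `Test-EtgGroup` is a hypothetical helper name.

```powershell
# Added example: check the Enrollment Time Grouping group before using it.
# Assumes the Microsoft.Graph PowerShell SDK; Test-EtgGroup is a hypothetical name.
function Test-EtgGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        # AppID of the Intune Provisioning Client, as given in this post
        [string] $ProvisioningAppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'
    )
    $problems = @()

    # Look the enterprise application up by AppID, because its display
    # name can differ from tenant to tenant.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ProvisioningAppId'"
    if (-not $sp) { $problems += "No service principal with AppID $ProvisioningAppId found." }

    $groups = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
    if ($groups.Count -ne 1) {
        return $problems + "Expected one group named '$GroupName', found $($groups.Count)."
    }
    $group = $groups[0]

    if (-not $group.SecurityEnabled) { $problems += 'Group is not a security group.' }
    # Dynamic groups are not supported; membership type must be Assigned.
    if ($group.GroupTypes -contains 'DynamicMembership') {
        $problems += 'Group uses dynamic membership; membership type must be Assigned.'
    }

    # The post requires the provisioning client to be an owner of this group.
    $ownerIds = @(Get-MgGroupOwner -GroupId $group.Id -All | ForEach-Object Id)
    if ($sp -and $ownerIds -notcontains $sp.Id) {
        $problems += "Service principal $($sp.Id) is not an owner of the group."
    }
    return $problems
}

Connect-MgGraph -Scopes 'Group.Read.All', 'Application.Read.All'
$found = Test-EtgGroup -GroupName 'WIN – DVC – Windows Autopilot Device Preparation'
if ($found) { $found | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Group is ready for Enrollment Time Grouping.' -ForegroundColor Green }
```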

Microsoft Entra ID – User Group
Unlike the classic Windows Autopilot, there is no device association (yet), so we will assign our Windows Autopilot Device Preparation policy to a user group.
Go to Microsoft Entra admin center | Groups and choose New group. Create a group with the following settings and select Create.
- Group type: Security
- Group Name: WIN – USR – Windows Autopilot Device Preparation
- Group Description: User group for Windows Autopilot Device Preparation
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Assigned
Ensure that you add the necessary users to this group for the use of Windows Autopilot Device Preparation.

Corporate Device Identifier
If your Microsoft Intune environment is equipped with MDM hardening, there is a chance that enrollment for personal devices is blocked in the Device Platform Restrictions.

The devices for Windows Autopilot Device Preparation will be considered Personal devices and will fail during enrollment. We can solve this by using Corporate Device Identifiers.
Corporate Device Identifiers are unique device identifiers (such as serial numbers or IMEI) that Microsoft Intune uses to mark a device as Corporate as soon as it enrolls.
This distinction allows organizations to apply stricter policies to company devices and restrict the enrollment of personal devices.
INFORMATION: Corporate Device Identifiers for Windows are only supported on Windows 11 23h2 or later.
To enter a Windows Device as a Corporate Device Identifier, we need three pieces of information about the device: Manufacturer, Model, and Serial Number.
I have a script for this that puts this information in a .csv file, which you can download from my GitHub page here.
```powershell
# Get system information
$computerSystem = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS

# Create an object with the desired properties
$deviceInfo = [PSCustomObject]@{
    Manufacturer = $computerSystem.Manufacturer
    Model        = $computerSystem.Model
    SerialNumber = $bios.SerialNumber
}

# Define output path
$csvPath = "$PSScriptRoot\DeviceInfo.csv"

# Export to CSV without headers
$deviceInfo |
    ConvertTo-Csv -NoTypeInformation |
    Select-Object -Skip 1 |
    Set-Content -Path $csvPath

# Green success message
Write-Host "Device information exported (without headers) to $csvPath" -ForegroundColor Green
```
Running this script will result in a .csv file like this:
Microsoft Corporation,"Microsoft Surface Laptop, 7th Edition","serialnumber"
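
Because this file decides which devices pass the personal-device block, it is worth validating before upload. The following is an added example, not part of the original post or the author's script; `Test-CorporateIdentifierCsv`, the placeholder-serial list and the sample rows are assumptions constructed for illustration.

```powershell
# Added example: validate a Corporate Device Identifier CSV before upload.
# Test-CorporateIdentifierCsv and the placeholder list are assumptions.
function Test-CorporateIdentifierCsv {
    param([Parameter(Mandatory)] [string] $Path)

    # Serial values some firmware reports when none was set (assumed list).
    $placeholders = 'To be filled by O.E.M.', 'Default string', 'System Serial Number', 'None'
    $seen  = @{}
    $rowNo = 0

    # The file has no header row, so the column names are supplied here.
    # Import-Csv keeps a comma inside a quoted field as part of the value, so
    # "Microsoft Surface Laptop, 7th Edition" stays a single Model value.
    # A fourth column (Extra) catches rows where a comma was left unquoted.
    foreach ($row in Import-Csv -Path $Path -Header Manufacturer, Model, SerialNumber, Extra) {
        $rowNo++
        $issues = @()
        if ($row.Extra) { $issues += 'more than three fields (unquoted comma?)' }
        foreach ($name in 'Manufacturer', 'Model', 'SerialNumber') {
            if ([string]::IsNullOrWhiteSpace($row.$name)) { $issues += "$name is empty" }
        }
        if ($row.SerialNumber -eq 'SerialNumber') { $issues += 'header row present' }

        $serial = "$($row.SerialNumber)".Trim()
        if ($placeholders -contains $serial) { $issues += "placeholder serial '$serial'" }
        if ($serial) {
            if ($seen.ContainsKey($serial)) { $issues += "duplicate serial (first seen in row $($seen[$serial]))" }
            else { $seen[$serial] = $rowNo }
        }
        [PSCustomObject]@{
            Row = $rowNo; Serial = $serial
            Valid = ($issues.Count -eq 0); Issues = $issues -join '; '
        }
    }
}

# Constructed sample input, not real device data.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'DeviceInfo-sample.csv'
@'
Microsoft Corporation,"Microsoft Surface Laptop, 7th Edition","CONSTRUCTED001"
Contoso,Model X, 7th Edition,CONSTRUCTED002
Contoso,Model Y,To be filled by O.E.M.
Contoso,Model Z,CONSTRUCTED001
'@ | Set-Content -Path $sample
Test-CorporateIdentifierCsv -Path $sample | Format-Table -AutoSize
```

Only the first sample row is reported as valid: the second has an unquoted comma in the model, the third carries a placeholder serial, and the fourth repeats the serial from row 1.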
Now, let’s go and add the Corporate Device Identifier for our device. Make sure you know where to find your .csv file.
Go to the Microsoft Intune admin center | Devices | Enrollment, open the Corporate Device identifiers blade, and choose Add. Then choose Upload CSV file.

Now choose the following and then select Add.
- Select identifier type: Manufacturer, model and serial number (Windows only)
- Import identifiers: Choose your .csv file

Your Corporate Device Identifier will start importing.

Once the device is added, you’ll notice it’s now shown in the Corporate Device Identifiers list.

We are now ready to create our Windows Autopilot Device Preparation policy.
Device Preparation Policy
Next up is our Windows Autopilot Device Preparation policy. But before we start, it is important that the device we are going to enroll via Windows Autopilot Device Preparation is no longer registered in the classic Windows Autopilot. If it is still registered there, the device will be enrolled in the classic way.
Go to the Microsoft Intune admin center | Devices | Windows | Enrollment | Windows Autopilot Device Preparation and choose Device preparation policies.

Choose Create, and we are going to create a User Driven policy.

Like any well-trained administrator, we first read the Introduction and then select Next.

In the Basics screen, set the following, and choose Next.
- Name: WIN – Windows Autopilot Device Preparation
- Description: This profile will enable Windows Autopilot Device Preparation

In the Device group screen, make sure to select our “Enrollment Time Grouping” device group. Don’t use a regular assigned group; it will fail. After selecting your group, choose Next.

In the Configuration settings screen, we have several topics to configure, namely Deployment settings, Out-of-the-box experience, Apps, and Scripts. Let’s configure them topic by topic.




After entering all the settings, choose Next. Please note that all apps and scripts must be assigned to the device group we created.
You can skip Scope Tags for now, and in the Assignments screen, choose the user group we previously created and choose Next.

Review your settings and choose Save.

Your Windows Autopilot Device Preparation policy is now ready for use.

Now, let’s enroll a device and see what the experience is.
End-User Experience
In the video below, we see what enrollment looks like from the end user’s perspective.
INFORMATION: In our Windows Autopilot Device Preparation profile, we have enabled and configured the option Apply device name template. If we now look at our device, we still see a generic name.

This is because this option is associated with Windows Autopilot Device Association and is currently still in Private Preview. So for now, these settings won’t really work. Stay tuned for more news about this option very soon.
Monitoring
Corporate Identifier
As mentioned earlier, we used a Corporate Device Identifier to specifically allow a device for enrollment because personally owned devices are blocked. If we now go back to our Corporate Device Identifier, we see that the status and last contacted information have changed.

Enrollment monitoring
An advantage of rolling out via Windows Autopilot Device Preparation is the near real-time monitoring.
Go to the Microsoft Intune admin center | Devices | Monitor and choose Windows Autopilot device preparation deployment status.

Device
In the Device tab, you will find general information about the device, such as Device Name, Deployment Status, Device ID, etc. The most important thing here is that you can monitor the status of your deployment.

Apps
In the Apps part, you can monitor the app install status of the apps you selected in the Windows Autopilot Device Preparation profile. You’ll notice two statuses, Skipped and Installed.
- Skipped: This means either the application is already present in the OS version (this was the case with the Microsoft 365 Copilot app), or the application wasn’t assigned to the correct group (remember the Enrollment Time Grouping group we’ve created).
- Installed: The app was correctly assigned and installed with success.

Scripts
In the last tab, Scripts, you can monitor the install status of the scripts you selected in the Windows Autopilot Device Preparation profile. Here, you’ll also notice two statuses, Skipped and Installed.
- Skipped: This means the script wasn’t assigned to the correct group.
- Installed: The script was correctly assigned and deployed with success.

Conclusion
Now that Microsoft says that “Cloud Native is no longer optional”, I think Windows Autopilot Device Preparation could play a more significant role here and therefore deserves more attention. This Windows Autopilot Device Preparation feature is for Cloud Native enthusiasts who no longer have to worry about Microsoft Entra Hybrid Join and can fully focus on Microsoft Entra Join. With the upcoming additions to Windows Autopilot Device Preparation, I think it could become a worthy competitor to the classic Windows Autopilot. So, as Microsoft says, Cloud Native is no longer optional! Act now!

